Debian 13.5 Released: Update Trixie to Patch Critical Security Flaws Now
Debian 13.5 has arrived to patch a long list of security issues in the stable trixie release. System administrators and desktop users alike need to run an update to secure Apache2, OpenSSH, and the Linux kernel against flaws that could lead to remote code execution or privilege escalation. This point release focuses on stability and security rather than new features, so existing installations can be upgraded without reinstalling the OS.
Debian 13.5 Security Fixes and Package Updates
The update addresses dozens of Common Vulnerabilities and Exposures across critical infrastructure packages. Apache2 received patches for use-after-free bugs and authentication bypass issues that could let attackers take over a web server. OpenSSH fixes command execution flaws and incomplete application of key algorithms, which is vital for anyone managing remote servers via SSH. OpenSSL also gets a new upstream stable release to keep encryption routines secure. Desktop users running Firefox ESR, Chromium, or Thunderbird will find updates that patch browser engine vulnerabilities and fix issues in the email client. The LibreOffice suite and GIMP also receive security hardening to prevent crashes or code execution when opening malicious files. Server admins managing fleets of machines will appreciate that this point release bundles fixes for Apache2 and OpenSSH together, saving time compared to patching services individually over several weeks.
Upgrading Debian Trixie to Version 13.5
Updating an existing installation is straightforward and does not require new media. Users should point their package management system at a mirror that includes the proposed-updates repository or wait for the standard stable mirrors to sync. Running apt update followed by apt full-upgrade will pull in the new versions of all affected packages. The Debian installer has also been updated to include these fixes, so anyone planning a fresh install should check for new ISO images at the regular download locations soon. Those who frequently pull updates from security.debian.org will notice that most changes are already included here, making this update less disruptive than usual.
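The procedure above, with a verification step a fleet administrator would want afterwards: an added example script, not part of the Debian announcement or Debian's own tooling. It assumes `apt-get`, `apt-cache` and `awk` are present on the host and uses an assumed list of binary packages from the table below; the policy parser is exercised on a constructed `apt-cache policy` excerpt so it runs without apt.

```sh
#!/bin/sh
# Added example (not Debian's code): run the 13.5 upgrade and then confirm it
# actually landed, i.e. every patched package shows Installed == Candidate in
# `apt-cache policy` and base-files has bumped /etc/debian_version to 13.5.

# Assumed list of binary packages from the 13.5 notes that matter on servers.
PKGS="apache2 openssh-server openssl sudo systemd curl rsync"

# Read `apt-cache policy` output on stdin; print, sorted, the packages whose
# installed version is not the mirror's candidate. Packages that are not
# installed ("(none)") are skipped: there is nothing to patch.
pending_upgrades() {
    awk '
        /^[^ ]/ { pkg = $1; sub(/:$/, "", pkg); next }   # "apache2:" header
        $1 == "Installed:" { inst[pkg] = $2 }
        $1 == "Candidate:" { cand[pkg] = $2 }
        END {
            for (p in inst)
                if (inst[p] != "(none)" && inst[p] != cand[p]) print p
        }
    ' | sort
}

# base-files, updated in this point release, maintains /etc/debian_version;
# it reads "13.5" once the upgrade is complete. The path is a parameter so
# the check can be run against a copy of the file.
is_trixie_13_5() {
    [ "$(cat "$1")" = "13.5" ]
}

# The announcement's procedure plus verification. Run as root; dist-upgrade
# is apt-get's name for `apt full-upgrade`. Only runs when given --apply.
upgrade_trixie() {
    apt-get update && apt-get dist-upgrade -y || return 1
    left=$(apt-cache policy $PKGS | pending_upgrades)
    if [ -n "$left" ]; then
        echo "still pending (mirror not synced yet?): $left" >&2
        return 1
    fi
    is_trixie_13_5 /etc/debian_version
}

# Constructed apt-cache policy excerpt with placeholder versions (not real
# Debian version strings); only openssh-server is lagging the mirror.
SAMPLE_POLICY='apache2:
  Installed: 1.0-2
  Candidate: 1.0-2
  Version table:
 *** 1.0-2 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
openssh-server:
  Installed: 1.0-1
  Candidate: 1.0-2
  Version table:
     1.0-2 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
 *** 1.0-1 100
        100 /var/lib/dpkg/status
openssl:
  Installed: (none)
  Candidate: 1.0-2
'

if [ "${1:-}" = "--apply" ]; then upgrade_trixie; fi
```

Invoked without `--apply` the script only defines the functions, so `printf '%s' "$SAMPLE_POLICY" | pending_upgrades` can be used to try the parser on the constructed excerpt.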
Removed Packages and Installer Changes
A few packages were dropped from the release due to changes in dependencies or superseded functionality. The dav4tbsync package was removed because it is now handled by Thunderbird 140, so users relying on that integration should verify their setup after upgrading. The Debian installer received updates to fix boot failures on boards using Starfive SoC chips by including the Cadence driver in initramfs-tools. This ensures systems with specific USB storage configurations can start up correctly without manual intervention.
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| 389-ds-base | Fix heap overflow issue [CVE-2025-14905] |
| 7zip | Relax Breaks / Replaces versions to ease upgrades from bookworm |
| apache2 | New upstream stable release; fix use-after-free issue [CVE-2026-23918]; fix privilege escalation issue [CVE-2026-24072]; fix NULL pointer dereference issues [CVE-2026-29169 CVE-2026-33007]; fix authentication bypass issue [CVE-2026-33006]; fix HTTP response splitting issue [CVE-2026-33523]; fix out-of-bounds read issues [CVE-2026-33857 CVE-2026-34032]; fix buffer over-read issue [CVE-2026-34059] |
| awstats | Prevent command injection [CVE-2025-63261] |
| base-files | Update for the point release |
| bash | Rebuild with updated glibc |
| beads | Rebuild with updated cimg |
| bepasty | Fix loading pygments CSS |
| bglibs | Rebuild with updated glibc |
| bird2 | ASPA: Fix downstream validation; BGP: Fix restart behavior on reconfiguration; filters: Fix string attributes; logging: Fix error handling |
| black | Fix arbitrary file write issue [CVE-2026-32274] |
| bubblewrap | Fix privilege escalation issue [CVE-2026-41163] |
| busybox | Rebuild with updated glibc |
| calibre | Fix path traversal issues [CVE-2026-25635 CVE-2026-25636 CVE-2026-26064 CVE-2026-26065]; fix code execution issue [CVE-2026-25731]; fix HTTP response header injection issue [CVE-2026-27810]; fix IP ban bypass issue [CVE-2026-27824] |
| catatonit | Rebuild with updated glibc |
| cdebootstrap | Rebuild with updated glibc |
| chkrootkit | Rebuild with updated glibc |
| cimg | Fix overflow issue [CVE-2026-42144]; fix out of memory issue with crafted files [CVE-2026-42146] |
| cockpit | Fix code execution issue [CVE-2026-4631] |
| composer | Fix command injection issues [CVE-2026-40261 CVE-2026-40176] |
| condor | Rebuild with updated glibc |
| curl | Fix server certificate verification issue [CVE-2025-13034] |
| dar | Rebuild with updated glibc, libcap2, openssl |
| debian-installer | Bump linux ABI to 6.12.86+deb13 |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debmirror | Add debmirror-specific User-Agent header |
| distribution-gpg-keys | Update included keys |
| distro-info-data | Add Ubuntu 26.10 Stonking Stingray |
| distrobuilder | Rebuild with updated incus |
| docker.io | Rebuild with updated glibc |
| dovecot | Fix memory leak in CVE-2026-27857 fix |
| e2fsprogs | Rebuild with updated glibc |
| efibootguard | Rebuild against gnu-efi with #1086705 fixed |
| ejabberd | Ignore certificate purpose for incoming s2s connections |
| ejabberd-contrib | Rebuild with updated ejabberd |
| epics-base | Skip failing build-time test |
| erlang | Fix path traversal issues [CVE-2026-21620 CVE-2026-23942]; fix HTTP request smuggling issue [CVE-2026-23941]; fix denial of service issue [CVE-2026-23943] |
| erlang-p1-tls | Accept client certificates without sslpurpose flag |
| exim4 | Fix GnuTLS hostname verify of a server certificate with a zero-length Subject; fix denial of service issue [CVE-2026-40684]; fix out-of-bounds read/write issues [CVE-2026-40685 CVE-2026-40686 CVE-2026-40687] |
| feed2toot | Ensure compatibility with Python 3.13 |
| firewalld | Prevent local users from being able to modify runtime firewall state without prior authentication if the desktop policy is active [CVE-2026-4948] |
| freerdp3 | Fix issues with large certificates; fix clipboard paste issue; fix segmentation fault issue [CVE-2025-4478]; fix use-after-free issues [CVE-2026-22851 CVE-2026-22856 CVE-2026-22857 CVE-2026-23883 CVE-2026-23884 CVE-2026-24491 CVE-2026-24675 CVE-2026-24676 CVE-2026-24678 CVE-2026-24680 CVE-2026-24681 CVE-2026-24683 CVE-2026-24684 CVE-2026-25952 CVE-2026-25953 CVE-2026-25954 CVE-2026-25955 CVE-2026-25959 CVE-2026-25997 CVE-2026-26986]; fix buffer overflow issues [CVE-2026-22852 CVE-2026-22853 CVE-2026-22854 CVE-2026-23530 CVE-2026-23531 CVE-2026-23532 CVE-2026-23533 CVE-2026-23534 CVE-2026-23732]; fix out-of-bounds read issues [CVE-2026-22855 CVE-2026-22859 CVE-2026-24677 CVE-2026-24679 CVE-2026-24682 CVE-2026-25941 CVE-2026-25942]; fix buffer underflow issues [CVE-2026-22858 CVE-2026-26955]; fix null pointer dereference issue [CVE-2026-23948]; fix buffer over-read issue [CVE-2026-26271]; fix out-of-bounds write issue [CVE-2026-26965]; fix denial of service issue [CVE-2026-27015]; fix buffer overflow issues [CVE-2026-29774 CVE-2026-31806 CVE-2026-31883 CVE-2026-33982 CVE-2026-33984]; fix out-of-bounds read/write issues [CVE-2026-29775 CVE-2026-31885 CVE-2026-31897 CVE-2026-33986 CVE-2026-33987]; fix integer underflow issue [CVE-2026-29776]; fix denial of service issues [CVE-2026-31884 CVE-2026-33952 CVE-2026-33977 CVE-2026-33983]; fix data leak issue [CVE-2026-33985]; fix double free issue [CVE-2026-33995]; fix path traversal issue [CVE-2026-40254] |
| fwupd | Thunderbolt: Fix deploying the thunderbolt controller on the X280 |
| git-lfs | Fix arbitrary file write issue [CVE-2025-26625] |
| glance | Fix server-side request forgery issue [CVE-2026-34881]; fix build failure |
| glib2.0 | Fix timezone handling with Debian & Ubuntu's symlinks; fix missing input validation in g_buffered_input_stream_peek [CVE-2026-0988]; fix integer overflow in base64 encoding [CVE-2026-1484]; fix buffer underflow issue in content type parsing [CVE-2026-1485]; fix integer overflow in unicode conversion [CVE-2026-1489] |
| glibc | Fix incorrect handling of DNS responses [CVE-2026-4437]; fix return of invalid DNS hostnames [CVE-2026-4438]; fix assertion failure [CVE-2026-4046]; fix a null pointer dereference in the nss_database_check_reload_and_get function; fix invalid pointer arithmetic in ANSI_X3.110 iconv module; various test suite fixes |
| gnupg2 | Rebuild with updated glibc |
| gnutls28 | Preserve extension order across client Hello retry |
| grub-efi-amd64-signed | Fix an illegal instruction on riscv64 |
| grub-efi-arm64-signed | Fix an illegal instruction on riscv64 |
| grub-efi-ia32-signed | Fix an illegal instruction on riscv64 |
| grub2 | Fix an illegal instruction on riscv64 |
| gvfs | Use control connection address for PASV data [CVE-2026-28295]; reject paths containing CR/LF characters [CVE-2026-28296] |
| harfbuzz | Fix NULL pointer dereference issue [CVE-2026-22693] |
| heimdal | Fix memory leak in heimdal-clients; add build dependency on libcrypt-dev |
| initramfs-tools | Include Cadence driver, fixing failure to boot from USB storage on boards using Starfive SoC; unmkinitramfs: Accept lower-case hex digits in cpio headers, fixing compatibility with some other tools |
| integrit | Rebuild with updated glibc |
| jpeg-xl | Fix uninitialised memory read issues [CVE-2025-12474 CVE-2026-1837]; fix cross build failure; fix nojava build profile; fix build on big-endian architectures |
| jq | Fix buffer overflow issue [CVE-2026-32316]; fix denial of service issues [CVE-2026-33947 CVE-2026-39956]; fix validation bypass issue [CVE-2026-33948]; fix out-of-bounds read issue [CVE-2026-39979]; fix use of hardcoded seed [CVE-2026-40164] |
| kissfft | Fix integer overflow issues [CVE-2025-34297 CVE-2026-41445] |
| kpackage | Skip unreliable build-time test |
| lemonldap-ng | OIDC: don't ignore non default signature algorithm; OIDC: register Front-Channel-Logout URL; really hide passwords in session-explorer when stored in session; update documentation to avoid using unsecured Nginx variable |
| libarchive | Fix out-of-bounds read issues [CVE-2025-5918 CVE-2026-4424]; fix denial of service issues [CVE-2026-4111 CVE-2026-4426]; fix possible code execution issue [CVE-2026-5121] |
| libcap2 | Fix time of check / time of use issue [CVE-2026-4878] |
| libcdio | Fix buffer overflow issue [CVE-2024-36600] |
| libcoap3 | Fix out-of-bounds read issue [CVE-2026-29013]; fix buffer overflow issue [CVE-2025-34468] |
| libcryptx-perl | Fix Crypt::PK key generation is not fork safe and will generate identical keys [CVE-2026-41564] |
| libdatetime-timezone-perl | Update to database 2026a; update included timezone data |
| libexif | Fix integer underflow issues [CVE-2026-40386 CVE-2026-32775]; fix integer overflow issue [CVE-2026-40385] |
| libfinance-quote-perl | Fix date in quotes retrieved from XETRA source |
| libnet-cidr-lite-perl | Fix ACL bypass issues [CVE-2026-40198 CVE-2026-40199] |
| libreoffice-texmaths | Add dependency on dvipng/dvisvgm |
| libtext-csv-xs-perl | Fix stack corruption issue [CVE-2026-7111] |
| libvncserver | Fix out of bounds read issue [CVE-2026-32853]; fix NULL pointer dereference issue [CVE-2026-32854] |
| libxml-security-java | Fix private key disclosure issue [CVE-2023-44483] |
| libxslt | Fix deterministic generate-id() regression causing build failures in other packages |
| lxc | Fix authorisation bypass issue [CVE-2026-39402] |
| mailman-suite | Add django.contrib.humanize to recommended apps in sample config |
| mapserver | Fix buffer overflow issue [CVE-2026-33721] |
| mksh | Rebuild with updated musl |
| modsecurity-crs | Fix file extension blocking bypass issue [CVE-2026-33691] |
| mongo-c-driver | Fix insufficient validation issues [CVE-2025-14911 CVE-2026-6231]; fix denial of service issue [CVE-2026-4359]; fix buffer overflow issue [CVE-2026-6691]; improve handling of corrupt GridFS files |
| mumble | Fix Opus buffer overrun leading to crash |
| musl | Fix denial of service issue [CVE-2026-6042]; fix stack corruption issue [CVE-2026-40200] |
| nano | Fix overly broad permissions issue [CVE-2026-6842]; fix format string issue [CVE-2026-6843] |
| nautilus-wipe | Remove Multi-Arch: same |
| netatalk | Fix authentication in complex AD environments |
| nginx | Fix buffer overflow issues [CVE-2026-27654 CVE-2026-27784 CVE-2026-32647]; fix session authentication issues [CVE-2026-27651 CVE-2026-28753]; fix OCSP result bypass issue [CVE-2026-28755]; use $host instead of $http_host |
| node-flatted | Fix prototype pollution issue [CVE-2026-33228] |
| node-node-rsa | Fix builds with OpenSSL 3 |
| node-tar | Properly sanitize absolute linkpaths [CVE-2026-23745]; normalize out unicode ligatures [CVE-2026-23950]; properly sanitize hard links containing '..' [CVE-2026-24842]; prevent hardlinking to files outside the extraction root [CVE-2026-26960]; strip leading '/' before sanitizing '..' [CVE-2026-29786]; prevent escaping symlinks with drive-relative paths [CVE-2026-31802] |
| numba | Conditionally skip tests requiring more CPUs than available |
| openssh | Ensure scp does not unexpectedly make transferred files setuid or setgid [CVE-2026-35385]; fix command execution issue [CVE-2026-35386]; fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys [CVE-2026-35387]; use connection multiplexing confirmation for proxy-mode multiplexing sessions [CVE-2026-35388]; fix handling of the authorized_keys principals option [CVE-2026-35414]; validate user and host names for ProxyJump/-J options passed via the command line; IPQoS handling improvements; don't reuse c->isatty for signalling that the remote channel has a tty attached |
| openssl | New upstream stable release |
| orca | Remove lightdm wrapper on package removal |
| osdlyrics | Add missing runtime dependency python3-pycurl; rebuild in a clean environment |
| pgbouncer | Fix integer overflow issue [CVE-2026-6664]; fix stack overflow issues [CVE-2026-6665]; fix NULL pointer dereference issue [CVE-2026-6666]; fix missing authorization check [CVE-2026-6667] |
| phosh | Cell-broadcast-prompt: close dialog on swipe; strip whitespace; wifi-network: don't unconditionally overwrite active access point; don't set active indicator visible |
| php-league-commonmark | Fix DisallowedRawHtml bypass via newline/tab in tag names [CVE-2026-30838]; fix DomainFilteringAdapter hostname boundary bypass [CVE-2026-33347] |
| php-phpseclib | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194] |
| php-phpseclib3 | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194] |
| phpseclib | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194] |
| proftpd-dfsg | Fix SQL injection issue [CVE-2026-42167] |
| pymupdf | Improve safety of 'pymupdf embed-extract' when dealing with existing files [CVE-2026-3029] |
| python-authlib | Fix cross-site request forgery issue [CVE-2025-68158]; fix denial of service issues [CVE-2025-62706 CVE-2025-61920]; fix policy bypass issue [CVE-2025-59420] |
| python-bottle-sqlite | Fix compatibility with Python 3.11+ |
| python-certbot | Re-use selected profile for renewals |
| python-ldap | Fix insufficient escaping issue [CVE-2025-61911]; fix denial of service issue [CVE-2025-61912] |
| python-mapbox-earcut | Remove Multi-Arch: same annotation |
| python-oslo.db | Fix compatibility with newer mariadb versions |
| python3-lxc | Fix compatibility with Python 3.13 |
| python3.13 | Fix header injection issues [CVE-2025-11468 CVE-2025-15282 CVE-2026-0672 CVE-2026-0865 CVE-2026-1299]; fix denial of service issues [CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194]; fix incorrect parsing of TarInfo header [CVE-2025-13462]; fix insufficient validation in zipFile [CVE-2025-8291]; fix missing sys.audit invocation [CVE-2026-2297]; fix early halt of base64 processing [CVE-2026-3446]; fix validation bypass issue [CVE-2026-3644]; fix stack overflow issue [CVE-2026-4224]; fix insufficient validation issue [CVE-2026-4519]; fix insufficient escaping issue [CVE-2026-6019]; fix use-after-free issue |
| qcoro | Skip unreliable build-time tests |
| qemu | Rebuild with updated glib2.0, glibc |
| qt6-base | Fix data race issues |
| remmina | Disable phone home functionality |
| request-tracker5 | Fix builds of CKEditor when firefox is >= 148 |
| rsync | Fix symlink handling on the receiver; fix use-after-free issue [CVE-2026-41035] |
| sash | Rebuild with updated glibc |
| sed | Fix time of check / time of use issue [CVE-2026-5958] |
| snapd | Rebuild with updated libcap2, glibc |
| starlet | Fix HTTP request smuggling issue [CVE-2026-40561] |
| stayrtr | Stop serving stale VRPs when the validator is stuck; use Restart=on-abnormal instead of on-abort |
| sudo | Fix privilege escalation issue [CVE-2026-35535] |
| supermin | Rebuild with updated musl |
| superqt | Skip unreliable font metrics test |
| suricata | Fix denial of service issues [CVE-2026-31932 CVE-2026-31933 CVE-2026-31935 CVE-2026-31937] |
| swupdate | Fix denial of service issue [CVE-2026-28525] |
| sylpheed | Add link check to address [CVE-2021-37746] |
| systemd | New upstream stable release; ensure /tmp workaround does not override local unit/fstab; fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226] |
| systemd-boot-efi-amd64-signed | New upstream stable release; ensure /tmp workaround does not override local unit/fstab; fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226] |
| systemd-boot-efi-arm64-signed | New upstream stable release; ensure /tmp workaround does not override local unit/fstab; fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226] |
| tini | Rebuild with updated glibc |
| tiv | Rebuild with updated cimg |
| toil | Conditionally skip build-time tests requiring more CPUs than available |
| tripwire | Rebuild with updated glibc |
| tsocks | Rebuild with updated glibc |
| tzdata | New upstream release; update data for British Columbia |
| unbound | Never try TLS to reach root nameservers |
| user-mode-linux | Rebuild with updated linux |
| vips | Fix buffer overflow issues [CVE-2026-2913 CVE-2026-3147 CVE-2026-3281]; fix memory corruption issue [CVE-2026-3145]; fix null pointer dereference issue [CVE-2026-3146]; fix out of bound read issues [CVE-2026-3282 CVE-2026-3283]; fix integer overflow issue [CVE-2026-3284] |
| xorg-server | Fix buffer re-use issue [CVE-2026-33999]; fix / improve bounds checking [CVE-2026-34000 CVE-2026-34003]; fix use after free issue [CVE-2026-34001]; fix out-of-bounds read issue [CVE-2026-34002] |
| zsh | Rebuild with updated libcap2, glibc |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| dav4tbsync | Superseded by Thunderbird 140 |
Give your system a refresh. The Debian project continues to prove why stable releases are trusted for production environments by keeping things secure without breaking compatibility.
